Wednesday, 24 April 2013

European parliamentarians question surveillance of air travellers

Today in Brussels the "LIBE" (civil liberties) committee of the European Parliament decisively rejected a proposal backed by European police and some European national governments (and heavily lobbied for by the USA) to establish systems throughout the EU, modeled on those in the USA, for government access to, and use of, airline reservation data (Passenger Name Records or PNRs). [See this video for some MEPs explanations of their votes.]

This disproportionate proposal would have been a grave departure from the constitutional presumption of innocence. Travel itineraries, hotel bookings, credit card details and other personal information of passengers would have been stored in police databases for five years. It would have created an automatic dragnet of this data on the basis of risk profiles without concrete suspicion and without a court order. This unacceptable paradigm shift in security policy would reverse the presumption of innocence, as well as breaching rulings of constitutional courts in Europe and the European Court of Human Rights. Thankfully, MEPs have voted to prevent this and to defend the rule of law and fundamental rights in Europe.

MEPs approved transfers to the U.S. government of PNR data collected in the EU,out of fear that if they didn't, the US would either ground all such flights (unlike) or require visas or otherwise harass all visitors to the U.S. from the EU (a less draconian but nonetheless severe, and more credible, threat). Today's vote not to mandate such a system for flights to, from, or within the EU suggests that acquiescence by the European Parliament to the EU-US PNR agreement was given only under duress.

The US Government has just been prosecuted [I think this refers to my lawsuit - EH] over the agreement on the Passenger Name Record (PNR) of airlines, which has been in place between the EU and the US since 2012.

Although the PNR agreement was supposed to limit the US Government’s use of data, the Department of Homeland Security (DHS) would be able to easily bypass the agreement because of the extensive access the DHS has to databases of companies which aggregate travel records from across the travel industry. The DHS could thus retrieve data from the US offices of Europe-based companies like Amadeus, which store their data and keep records of European travellers’ intra-EU movements.

Does the Commission not consider that, in allowing this, travel companies are constantly violating Directive 95/46/EC on the protection of personal data?

Moreover, there would be no log to show who accessed what data and from where. It would therefore be impossible to audit the DHS, especially as the DHS legally is not bound by the US Privacy Act on the issue.

If this poses a problem, what measures does the Commission intend to take to solve it?

The European Commission is required to respond in writing by 2 May 2013.

I expect that the answer will be similar to the answer given earlier this year by the European Commission to a question by MEP Castex regarding airlines tracking of IP addresses, which are routinely captured (with timestamps) in PNRs. According to Commissioner Reding:

Any processing of client data such as IP addresses must be in line with the national laws implementing the requirements of Directive 95/46/EC; inter alia personal data must be processed on legitimate grounds, for a specific purpose and must be proportionate to the aim pursued. The clients of the travel companies must be informed about the processing.

Without prejudice to the powers of the Commission as guardian of the Treaty, national data protection supervisory authorities are the competent bodies to monitor the application of the national measures implementing Directive 95/46/EC.

The European Commission itself has direct responsibility for supervision and enforcement of the EU Code of Conduct for Computerized Reservation Systems, but has completely neglected that responsibility. It's unclear to whom, or following what procedures, I or any other individual could make a complaint to the Commission about any of the ongoing violations of the Code of Conduct that pervade the operations of the CRSs and are inherent in their current architecture.

"Congress shall make no law ... abridging ... the right of the people peaceably to assemble." (U.S. Constitution)

"Everyone has the right to freedom of movement and residence within the borders of each state. Everyone has the right to leave any country, including his own, and to return to his country." (Universal Declaration of Human Rights)

"Liberty of movement is an indispensable condition for the free development of a person." (United Nations Human Rights Committee)